Hacker News

I think we agree, but either your meaning or your words are giving me pause.

> you can treat your account ID as non-secret because AWS does. That doesn't directly follow;

It does follow, and not only “can” you treat them as non-secret, you _must_ treat them as non-secret.

> the difference between AWS's point of view and your company's point of view means there are things you might care about that AWS does not

The point here is that if you want to have good security, you _cannot_ “care” about this if your service provider does not also care about it. If you “care” about your ID being public, but your provider does not, then if you want to have good security you must either find a way to not care, or find another provider.



Correlation of bucket ownership isn't a security issue at all. I never used that word in my posts, and the author of this article also never suggested that it was. That's the point: there are other considerations that AWS does not care about, but your business does. Your cloud deployment needs to be designed such that the account IDs do not leak information that your business doesn't want to be revealed. You don't get the non-secretness for "free"; you have to think about it and be careful about how you isolate things into accounts. As far as I can tell, we agree on all of this and have just suffered some misunderstanding in this thread.
